CVE-2015-8440

Vulnerability

This vulnerability exists in Adobe Flash Player versions prior to 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X, as well as before 11.2.202.554 on Linux. It also affects Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204. The specific mechanism is via unspecified vectors, allowing attackers to bypass intended access restrictions [1]. It is one of multiple vulnerabilities disclosed in December 2015.

Exploitation

An attacker can exploit this vulnerability remotely without authentication. The attack vector involves delivering a malicious Flash file to the user, typically via a web page or email attachment. The vulnerability is triggered when the user loads the crafted SWF file in an affected Flash Player instance. The exact exploitation steps are not detailed in the references, but it is part of a set of vulnerabilities that can be exploited without user interaction beyond normal browsing [1].

Impact

Successful exploitation allows an attacker to bypass security restrictions, potentially leading to arbitrary code execution in the context of the user running Flash. This could result in full system compromise, including the ability to install programs, view, change, or delete data, or create new accounts with full user rights [1]. Additionally, it may allow denial of service or information disclosure.

Mitigation

Adobe released security updates for Flash Player: version 20.0.0.228 for Windows and OS X, and 11.2.202.559 for Linux. Adobe AIR was updated to version 20.0.0.204. Users should upgrade to these fixed versions immediately. There is no known workaround [1]. The vulnerability was also addressed in Gentoo Linux via GLSA 201601-03, which recommends upgrading to www-plugins/adobe-flash-11.2.202.559 [1].